With more web applications exposing RESTful (or REST) APIs for ease of use, flexibility and scalability, it has become more important for web application security teams to test and secure those APIs. But APIs (including REST APIs) introduce some behaviors that make it difficult for web application scanners to test them for vulnerabilities.

New features in Qualys Web Application Scanning (WAS) overcome these difficulties.

Continue reading …

Web application scanners often struggle to scan applications that incorporate parameters into their URL paths, specifically web apps that use URL-rewrite techniques or web apps with REST APIs that take URL parameters. One key approach is to fuzz the application’s URL parameter inputs in order to identify possible injection points for malicious code. But without knowledge of the URL structure, it’s difficult for scanners to fuzz those parameters efficiently and with full coverage, which is required for an effective scan.

Continue reading …